Privilege Escalation like a Boss

Hello guys, this is Jay Jani and after a long time, I am back with one of my findings. This one is a simple privilege escalation on a private HackerOne program.

PS: This post is for noobs like me, so leets please ignore the post :/

So I was invited to participate in a private program. I quickly went through the working flow of the application. After finishing recon, I tried to find loopholes in it. Based on the application's behavior I tried IDOR and privilege issues, but failed. The flow of the application is:

A higher-privilege user has access to

A lower-privilege user has access to only

I tried to force-browse the request, but it showed me nothing.

I wanted to get past this, so I started analyzing each and every request I captured. Suddenly I observed that there is an authorization header in each request which prevents me from performing the attack.

I noticed that this is a JWT (JSON Web Token; you can learn more about it in the reference I gave at the end of the post). So what is a JSON Web Token (JWT)?

Generally the format of a JWT looks like:

header.payload.signature

1. Header
The header is a JSON object in the following format:

2. Payload
The payload component of the JWT is the data that's stored inside the JWT. It is only base64url-encoded, not encrypted, so anyone holding the token can read it.

3. Signature
The signature is computed using the following pseudo code:

So I got what they are doing here: they encode "userId", "IP", "Browser information" and "OS information". But again, poor me 🙁 I got the user id, but it is a UUID :/ My thought process was:

But I wanted to give it one more try. After googling for some time, I found that it is possible to crack a UUID if it is generated with Math.random().

The next step was to check the application's JS files for Math.random() being used to generate the UUID, and I found one JS file.

They were using the code as below.

So the next step was to break this. I tried a lot but failed. The same situation again, right back where I started :/

I contacted the man who wrote the post on how he was able to break the function. He was really good and helpful, and a master too :p He helped me break the function, and I got the user id in plaintext form.

The next step was to encode the JWT with the replaced user id, and I was able to access the functionality of the Admin user.